Multiple RODCs in the same site?
Posted by BPuhl on January 25, 2008
I mentioned in my previous post that internally we have been running RODCs and full DCs in the same AD site. Is there any great benefit to this (other than the complicated GPO replication issue I posted about)? No, not really. But as Laura pointed out in her comment, it’s useful to remember that while it may not be especially valuable, it’s also not prohibited in any way.
Another common deployment question is whether or not you can have multiple RODCs in the same AD site. There are actually 2 different cases here, so let’s look at them both:
(These comments are based on a standard branch office scenario, with an upstream full DC in a site connected by a WAN to the site containing the RODCs.)
Multiple RODCs from the same domain, in the same site
From a technical/deployment perspective, there isn’t anything stopping you from deploying 2 RODCs from the same domain into the same site. But there are definitely some important gotchas to remember:
1. RODCs don’t replicate out to anyone – so that means they don’t replicate out to each other either. Therefore, from a replication perspective, each server will still replicate in from a full, upstream DC.
2. Replicated passwords are part of #1 – this is important. Say I’m a user in a site, the site has 2 RODCs from my domain in it, but only one of them has my password cached. If the WAN link goes offline and I try to log on, Murphy’s Law says that DC Locator will find the “other” RODC for me (the one which does not have my password cached). In this case, authentication will fail, and I will be an unhappy user. You, as the AD admin, will catch a boatload of flak for this flagrant violation of our SLA.
RODCs from multiple domains, in the same AD site
You would think that this is a good idea, because then all the users in each of the domains could log on, etc. in the site when the WAN link goes down. And you would be mostly correct.
The gotcha here is that, as part of their increased security stance, RODCs do not replicate in the passwords for “critical” or “sensitive” accounts. For example, they’ll never replicate in the password for a user who is a Domain Admin (DA). Of course, the TDO (Trusted Domain Object) password is also “sensitive”, so it doesn’t get replicated in either. What this means is that an RODC is useful for authenticating users to resources within its domain, when all of the necessary passwords have been cached. However, you cannot perform cross-domain authentication without a full DC being accessible.
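As an added example (my own, not code from the original post), the PowerShell below audits gotcha #2 from the same-domain section: for one site it lists which account secrets each RODC has cached and reports every account held by some RODCs in the site but not all, optionally prepopulating the missing ones from a writable DC. The accounts it cannot prepopulate are the ones the RODC’s password replication policy denies, i.e. the “sensitive” accounts the multi-domain section describes. It assumes the RSAT ActiveDirectory module, rights to read each RODC’s revealed-accounts list, and a placeholder site name.

```powershell
Import-Module ActiveDirectory

function Get-RodcCacheGaps {
    param(
        [Parameter(Mandatory)] [string] $SiteName,   # placeholder site name supplied by the caller
        [switch] $Prepopulate                        # also push each missing secret to the RODC lacking it
    )
    # Every RODC in the site; site matching is done client-side to keep the filter simple.
    $rodcs = @(Get-ADDomainController -Filter { IsReadOnly -eq $true } |
               Where-Object { $_.Site -eq $SiteName })
    if ($rodcs.Count -lt 2) {
        Write-Warning "Fewer than two RODCs in site '$SiteName'; nothing to compare."
        return
    }
    # RODC host name -> DNs of the accounts (users and computers) whose secrets it holds.
    # Each RODC fills this list only from its upstream writable DC, never from its neighbour.
    $cached = @{}
    foreach ($rodc in $rodcs) {
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
        $cached[$rodc.HostName] = @($revealed | ForEach-Object { $_.DistinguishedName })
    }
    # An account cached on some RODCs but not all is the logon failure waiting to happen
    # when the WAN is down and DC Locator hands the client the RODC that lacks it.
    $everyone = $cached.Values | ForEach-Object { $_ } | Sort-Object -Unique
    $gaps = @(foreach ($dn in $everyone) {
        foreach ($dc in $cached.Keys) {
            if ($cached[$dc] -notcontains $dn) {
                [pscustomobject]@{ Account = $dn; MissingOn = $dc }
            }
        }
    })
    if ($Prepopulate) {
        # Pull each missing secret from a writable DC. Accounts the RODC's password replication
        # policy denies (Domain Admins, krbtgt and the like) can never be cached and will error here.
        $source = [string](Get-ADDomainController -Discover -Writable).HostName
        foreach ($gap in $gaps) {
            try {
                Sync-ADObject -Object $gap.Account -Source $source `
                              -Destination $gap.MissingOn -PasswordOnly -ErrorAction Stop
            } catch {
                Write-Warning "Could not cache $($gap.Account) on $($gap.MissingOn): $_"
            }
        }
    }
    return $gaps
}

# Usage: Get-RodcCacheGaps -SiteName 'BranchSite01' | Format-Table -AutoSize
```

Run it without -Prepopulate first to see the list; an empty result means every RODC in the site holds the same set of secrets, so whichever one DC Locator picks during a WAN outage can authenticate the same users.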